
Brocade FastIron SX, ICX, and FCX Series Switch/Router 08.0.01 Security Target Version 1.1, May 13, 2014
NIST SP800-56B Section Reference  “should”, “should not”, or “shall not”  Implemented?  Rationale for deviation
--------------------------------  --------------------------------------  ------------  -----------------------
6.6                               shall not                               No            Not applicable
7.1.2                             Should                                  Yes           Not applicable
7.2.1.3                           Should                                  Yes           Not applicable
7.2.1.3                           should not                              No            Not applicable
7.2.2.3                           should (first occurrence)               Yes           Not applicable
7.2.2.3                           should (second occurrence)              Yes           Not applicable
7.2.2.3                           should (third occurrence)               Yes           Not applicable
7.2.2.3                           should (fourth occurrence)              Yes           Not applicable
7.2.2.3                           should not                              No            Not applicable
7.2.2.3                           shall not                               No            Not applicable
7.2.3.3                           should (first occurrence)               Yes           Not applicable
7.2.3.3                           should (second occurrence)              Yes           Not applicable
7.2.3.3                           should (third occurrence)               Yes           Not applicable
7.2.3.3                           should (fourth occurrence)              Yes           Not applicable
7.2.3.3                           should (fifth occurrence)               Yes           Not applicable
7.2.3.3                           should not                              No            Not applicable
8                                 Should                                  Yes           Not applicable
8.3.2                             should not                              No            Not applicable
Table 6 NIST SP800-56B Conformance
The TOE provides RFC-compliant TLS and SSH implementations with no security-related extensions.
The TOE uses a software-based random bit generator that complies with Special Publication 800-90 using
Hash_DRBG when operating in FIPS mode. SHA-256 is used in conjunction with a minimum of 440 bits of
entropy accumulated from the processing stack, hardware serial numbers, and the low-order bits of the current
time of day.
The TOE supports the following secret keys, private keys and CSPs:
Key or CSP:                               Zeroized upon:    Stored in:  Zeroized by:
----------------------------------------  ----------------  ----------  ---------------------------
SSH host RSA private key                  Command           Flash       Overwriting once with zeros
SSH host RSA public key                   Command           Flash       Overwriting once with zeros
SSH client RSA public key                 Command           Flash       Overwriting once with zeros
SSH session key                           End of session    RAM         Overwriting once with zeros
TLS host RSA private key                  Command           Flash       Overwriting once with zeros
TLS host RSA digital certificate          Command           Flash       Overwriting once with zeros
TLS pre-master secret                     Handshake done    RAM         Overwriting once with zeros
TLS session key                           Close of session  RAM         Overwriting once with zeros
DH Private Exponent                       New key exchange  RAM         Overwritten with new value
DH Public Key                             Not applicable    RAM         Public value
User Password                             Command           Flash       Overwriting once with zeros
Port Administrator Password               Command           Flash       Overwriting once with zeros
Crypto Officer Password                   Command           Flash       Overwriting once with zeros
Firmware Integrity / Load DSA public key  Not applicable    Flash       Public value
DRBG Seed                                 Every 100ms       RAM         Overwritten with new value
DRBG Value V                              Every 100ms       RAM         Overwritten with new value
DRBG Constant C                           Every 100ms       RAM         Overwritten with new value
Table 7 Keys and CSPs
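
The Hash_DRBG state that the random bit generator paragraph and the DRBG rows of Table 7 refer to (V, C, and the 440-bit seed length for SHA-256), shown as an added Python example that is not the TOE's or the vendor's code. It follows the SP 800-90A instantiate, reseed and generate state updates without additional input, and adds a zeroize step in the table's overwrite-with-zeros style. The class and method names, the optional nonce default and the demo inputs are assumptions.

```python
import hashlib

SEEDLEN = 55                 # 440 bits: Hash_DRBG seed length for SHA-256
MOD = 1 << (SEEDLEN * 8)     # V arithmetic is modulo 2^seedlen

def hash_df(data: bytes, nbytes: int = SEEDLEN) -> bytes:
    """Hash_df: SHA-256 over (1-byte counter || 32-bit output bit length || data)."""
    out, counter = b"", 1
    while len(out) < nbytes:
        out += hashlib.sha256(bytes([counter]) + (nbytes * 8).to_bytes(4, "big") + data).digest()
        counter += 1
    return out[:nbytes]

class HashDRBG:
    """Hypothetical class name; holds the V and C values listed in Table 7."""
    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Assumption: empty nonce allowed here for brevity; SP 800-90A requires one.
        self.V = bytearray(hash_df(entropy + nonce + personalization))
        self.C = bytearray(hash_df(b"\x00" + bytes(self.V)))
        self.reseed_counter = 1

    def reseed(self, entropy: bytes) -> None:
        # Seed, V and C are all replaced: "Overwritten with new value" in Table 7.
        self.V[:] = hash_df(b"\x01" + bytes(self.V) + entropy)
        self.C[:] = hash_df(b"\x00" + bytes(self.V))
        self.reseed_counter = 1

    def generate(self, nbytes: int) -> bytes:
        out, data = b"", int.from_bytes(self.V, "big")
        while len(out) < nbytes:                       # Hashgen: hash V, V+1, V+2, ...
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % MOD
        h = int.from_bytes(hashlib.sha256(b"\x03" + bytes(self.V)).digest(), "big")
        v = (int.from_bytes(self.V, "big") + h + int.from_bytes(self.C, "big") + self.reseed_counter) % MOD
        self.V[:] = v.to_bytes(SEEDLEN, "big")         # state moves forward after every request
        self.reseed_counter += 1
        return out[:nbytes]

    def zeroize(self) -> None:
        # In-place overwrite of the mutable buffers; Python may still hold
        # transient immutable copies, so this is best effort in this language.
        for buf in (self.V, self.C):
            buf[:] = bytes(len(buf))

if __name__ == "__main__":
    drbg = HashDRBG(bytes(range(55)), nonce=b"constructed-nonce")  # constructed, non-random input
    print(drbg.generate(32).hex())
    drbg.reseed(b"\xaa" * 55)                                      # constructed reseed input
    drbg.zeroize()
```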